In most cases you have to sign your code in order to get it installed on the operating system. You can sign your code using a self-signed certificate or using a certificate issued by a publicly-trusted CA.

Due to the costs of buying a code signing certificate from a publicly-trusted CA, some users will decide to try a self-signed certificate. Here is what you need to consider.

Self-Signed Certificate:

  • Issued using software that the user has and controls
  • Signatures trigger a trust warning stating that the publisher could not be verified, and the dialogue displays “Unknown Publisher”
  • Compromised certificates cannot be revoked and could harm the users of your software

[Screenshot: security warning dialogue]

Certificates Issued from a Publicly-Trusted CA:

  • CA performs identity verification which is displayed in the trust dialogue
  • Compromised certificates can be revoked, and if time-stamping was used, code signed before the revocation will remain trusted

For user trust and the longevity of your code, it is recommended that you use a certificate issued from a publicly-trusted CA.
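The following added example (not part of the original post) is a Windows PowerShell script that reports what the trust dialogue above would be based on: whether the signer certificate is self-signed, whether its chain builds to a trusted root with revocation checking, and whether a timestamp countersignature is present. The `-Path` parameter and the output field names are assumptions of this example.

```powershell
# Added example: inspect a signed file's Authenticode signature and report the
# properties the operating system uses when deciding whether to trust it.
# $Path is an assumed input; run as: .\Check-CodeSignature.ps1 -Path .\setup.exe
param([Parameter(Mandatory)][string]$Path)

$sig = Get-AuthenticodeSignature -FilePath $Path
if ($sig.Status -eq 'NotSigned') { Write-Output "$Path is not signed"; return }

$cert = $sig.SignerCertificate
# A self-signed certificate is its own issuer, so Subject and Issuer match.
$selfSigned = ($cert.Subject -eq $cert.Issuer)

# Build the certificate chain with online revocation checking, as Windows does
# before showing the publisher dialogue. A self-signed signer will not reach a
# trusted root and the chain status reports UntrustedRoot.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chainOk = $chain.Build($cert)
$chainErrors = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

# The timestamp countersignature is what keeps a signature valid after the
# signing certificate expires or is revoked (for code signed before revocation).
$tsCert = $sig.TimeStamperCertificate

[pscustomobject]@{
    File          = $Path
    Status        = $sig.Status          # Valid, NotTrusted, HashMismatch, ...
    StatusMessage = $sig.StatusMessage
    Publisher     = $cert.Subject
    Issuer        = $cert.Issuer
    SelfSigned    = $selfSigned
    ChainTrusted  = $chainOk
    ChainErrors   = $chainErrors
    Timestamped   = ($null -ne $tsCert)
    TimestampAuth = $(if ($tsCert) { $tsCert.Subject } else { 'none' })
    SignerExpires = $cert.NotAfter
}
```

A file signed with a self-signed certificate shows `SelfSigned` true, `ChainTrusted` false and `Status` NotTrusted, which is exactly the “Unknown Publisher” case; a CA-issued, timestamped signature shows a trusted chain and a timestamp authority.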

This is the seventh post in our code-signing series. Check out the full list to read past entries and see what’s upcoming.

Bruce Morton

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.